How is it possible to implement a slowban that will not be a tool for DoS to our site?
The problem is that a deliberate delay in serving an http response will keep server resources busy (web server threads and possibly other subsystems).
If your web application is complex and takes up considerable resources, it might be the wrong place to implement a slowban because of the problem of a slowloris attack.
Instead, you could introduce the slowban by proxying your application through a lightweight proxy or webserver like lighttpd or nginx serving from cache and static content and utilizing your firewall. From there, you may shape the bandwidth in your firewall, keeping the needed resources relatively low, as the connection of a troll is mainly served by the lightweight proxy instead of your heavy application server.
While this has some dangers to consider in itself (namely enabling a possibly insecure application to insert IP-based rules in your firewall), iptables and the kernel are relatively easy on resources.
The only thing you have to consider is the amount of open connections your system may tolerate and when to start killing the longest open connections to make room for new ones. Definitely prepare your site for fighting against low-bandwidth attacks.
You could incorporate the slowban with resource monitoring so that if it becomes apparent the slowbanned user is attempting to DoS, they will be permabanned instead.
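The proxy-based slowban from the answers above, as an added example that is not code from the original posters: an nginx fragment (http context) that flags an address, throttles its responses per connection in the proxy rather than in the application, and caps its concurrent connections so a throttled client cannot hold sockets open without bound. The address 192.0.2.10, the zone name and the upstream app_backend are assumptions; the firewall integration and the monitoring-driven escalation to a permaban mentioned in the answers are not shown.

```nginx
# Added example (not from the original answers); goes inside the http {} block.
# The flagged address, zone name and upstream name are assumptions.
geo $slowbanned {
    default      0;
    192.0.2.10   1;    # constructed example address (TEST-NET-1)
}

# Map the flag to a per-connection rate limit; 0 means "unlimited".
map $slowbanned $client_rate {
    0  0;
    1  512;            # 512 bytes/second for slowbanned clients
}

# Count simultaneous connections per client address (10 MB of shared state).
limit_conn_zone $binary_remote_addr zone=perip:10m;

upstream app_backend {
    server 127.0.0.1:8080;   # the heavy application server (assumed)
}

server {
    listen 80;

    location / {
        # Cap concurrent connections per IP so a slowbanned client cannot
        # keep an unbounded number of sockets open (the slowloris concern).
        limit_conn perip 5;

        # Throttle responses to slowbanned clients; the delay is spent in
        # nginx, not in an application worker. Variable values for
        # limit_rate require nginx 1.17.0 or newer.
        limit_rate $client_rate;

        proxy_pass http://app_backend;
        # Read the upstream response into nginx buffers as fast as the
        # application can send it, then trickle it to the client; this
        # releases the application worker quickly.
        proxy_buffering on;
    }
}
```

Requests rejected by limit_conn return 503 by default, which appear in the access log and can feed the resource monitoring the second answer describes.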